
Merry Christmas from FreeBSD

Merry Christmas from FreeBSD

Posted Dec 23, 2011 20:39 UTC (Fri) by mikov (subscriber, #33179)
Parent article: Merry Christmas from FreeBSD

Telnet is not as rare as we may think.

I recently encountered a couple of relatively important companies (which shall remain unnamed, sadly) selling and using Linux software, who to my utter shock were using Telnet pervasively and were mostly unaware of ssh. Perhaps this isn't surprising given that they also (ab)used VNC for remote access to Linux workstations.

This is not exactly related to FreeBSD, but here goes: Linux has gained a lot of ground, especially in the embedded arena, but with that also comes a lot of incompetence, and it is staggering. It is a far cry from what we might imagine on LWN. Merging with the mainline kernel - pfffft - nobody is even aware of a "mainline" or even "kernel". GPL - never heard of it. Some people actually do believe that you do not have to follow the GPL if you pay some amount of money to "Linux". WTF? It is all a disgusting mess of binary drivers and GPL violations.

Lastly, nobody actually uses Linux for development. Embedded software is developed on Windows with Visual Studio (not even Cygwin - nobody has heard of Cygwin) and only occasionally tested on Linux (in a VM of course - Linux on actual hardware is scary). Binaries, shared libs, configuration files and even logs are all stored in the same directory in true Windows fashion. Of course shared libs exist multiple times (.so, .so.1, .so.1.2, etc.) because nobody knows about symbolic links and they copied the files with Windows Explorer.

I am truly depressed. I hope I have observed an exception, but I doubt it.

On the bright side, it means more job security for LWN readers :-)



Merry Christmas from FreeBSD

Posted Dec 23, 2011 21:25 UTC (Fri) by jd (guest, #26381) [Link]

I've seen similar across other Linux-using companies. Awareness isn't what it [c|sh]ould be. However, the problem isn't limited to Linux. I've seen plenty of *BSD admins advocate telnet.

Probably one of the scariest situations was where an organization who shall not be named refused to run SSH but used RSH with .hosts files because that was "more secure". I spent about a week sobbing into my beer.

Merry Christmas from FreeBSD

Posted Dec 23, 2011 23:00 UTC (Fri) by mordae (subscriber, #54701) [Link]

I usually run away. And learn that it's the same s... over there as well.

Seriously, do people screw up this much in other areas as well? Or is it IT specific?

Merry Christmas from FreeBSD

Posted Dec 23, 2011 23:28 UTC (Fri) by jd (guest, #26381) [Link]

It seems pretty universal. I've seen similar... phenomena in many other fields. The Guardian newspaper over in the UK did a series of articles on risk assessment and achievement assessment, which claimed to show that people are bad at both.

To bring this back to IT, it does demonstrate (to me, anyways) that we do need something analogous to Formal Methods. We need objective tools and techniques for ensuring the correctness of what is done meets the desired standard. Formal Methods are not much used because they are difficult to use well and transfer almost the entire effort into getting things right the first time.

(Consider how long it takes a project in Linux to go from first idea to an ultra-stable form, along with all the developers and testers it needs to do that. Now make that the up-front cost before anything is released at all.)

Merry Christmas from FreeBSD

Posted Dec 24, 2011 8:07 UTC (Sat) by mordae (subscriber, #54701) [Link]

Yeah, we need to fix the insane hunt for low costs first. :-\

Merry Christmas from FreeBSD

Posted Dec 24, 2011 9:27 UTC (Sat) by oldtomas (guest, #72579) [Link]

> [...] it does demonstrate (to me, anyways) that we do need something analogous to Formal Methods.

I respectfully disagree. Formal Methods is a tool. What we need is education and culture.

Tools without the corresponding culture tend to evolve into monstrous red tape generators. Have you witnessed an Agile Team in a big corp lately?

People have to understand and approve the tools they use.

Merry Christmas from FreeBSD

Posted Dec 24, 2011 17:21 UTC (Sat) by dsimic (subscriber, #72007) [Link]

It shouldn't be specific to IT. People are just lazy / stupid and don't see the difference in doing something the right or the wrong way.

And it's much harder to spend a lot of time doing something the right way.
And it leaves much less time for posting s**t on Facebook. ;)

Merry Christmas from FreeBSD

Posted Dec 26, 2011 16:19 UTC (Mon) by Trelane (subscriber, #56877) [Link]

> And it's much harder to spend a lot of time doing something the right way.
> And it leaves much less time for posting s**t on Facebook. ;)

Funny because it's true:
http://www.despair.com/proc24x30pri.html

Merry Christmas from FreeBSD

Posted Dec 25, 2011 8:56 UTC (Sun) by elvis_ (subscriber, #63935) [Link]

I am a long-time Linux user but don't work in the IT field; I can assure you it is universal. I explain it to my business partner (who is somewhat of a perfectionist) by... remember all those kids who were dumb as a box of hammers in school, they all have jobs and some of them are in charge!!!! Deal with it.

Apologies in advance to those with learning difficulties and the smart who were just plain bored, I didn't mean to offend you... and both of you should be able to work out the meaning anyway.

Merry Christmas from FreeBSD

Posted Dec 28, 2011 14:17 UTC (Wed) by steffen780 (guest, #68142) [Link]

Very good explanation!

Merry Christmas from FreeBSD

Posted Dec 24, 2011 4:45 UTC (Sat) by jmalcolm (guest, #8876) [Link]

I have also been surprised.

Just recently I decided to pursue formal certification on Cisco equipment. Modern Cisco routers and switches support SSH but it has to be set up. Telnet is the default.

What really surprises me though is that the Cisco training community uses Telnet heavily. The instructors in online courses Telnet around even after they show how to set up SSH. The craziest thing I have seen is companies that rent "rack-time", which is network access to real Cisco gear, using Telnet as the access method. Not only are they promoting Telnet as a standard practice to up-and-coming Network Engineers, they are trusting their business to it.

Given that I have always insisted on SSH even when logging into my home server or internal-only web servers, I was pretty surprised to find Telnet used so pervasively.

Cue for OpenWRT

Posted Dec 24, 2011 14:34 UTC (Sat) by proski (subscriber, #104) [Link]

Perhaps OpenWRT should ban telnetd and use ssh from the beginning, even without a password, so that nobody is exposed to using telnet, even temporarily.

Merry Christmas from FreeBSD

Posted Dec 26, 2011 0:32 UTC (Mon) by oblio (guest, #33465) [Link]

At least where I studied for the CCNA exams, they did use telnet.
*But* every time it was through a VPN connection. So telnet didn't really matter much, except for intranet password sniffing, maybe (IMO a much smaller risk).

Now that I think of it, there was a report about most company thefts being perpetrated by employees, so it would be a good idea to use SSH through VPN too :)

Merry Christmas from FreeBSD

Posted Dec 26, 2011 16:44 UTC (Mon) by jmalcolm (guest, #8876) [Link]

Yes, I have seen telnet used on a VPN but this is not a problem as you say. I have also seen it used on the open Internet as well. Crazy town.

In a training environment though, I am surprised they do not stress the use of SSH purely as an educational point.

Then again, the only Cisco training I have been exposed to used 'cisco' as the password on all devices. So, clearly convenience was trumping any demonstration of security best-practices in general.

Merry Christmas from FreeBSD

Posted Dec 26, 2011 16:45 UTC (Mon) by drag (subscriber, #31333) [Link]

If you want to try to prevent employee fraud your best bet is to monitor and log their activities on the company provided workstation.

Merry Christmas from FreeBSD

Posted Dec 25, 2011 11:45 UTC (Sun) by Ben_P (subscriber, #74247) [Link]

The remote management for consumer 'high speed' modems on Time Warner in Central NY is also all over telnet. Raw unencrypted telnet over the wire. SSH is disabled by default but can be enabled by level 3 service techs.

For what it's worth, my modem was reporting an 8-10 year old version of OpenSSH with known remote vulnerabilities after the tech left it running.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds